
BizReport : Internet Marketing 101 : November 14, 2020

GDPR and the US: How Are Things Going for American Companies?

The General Data Protection Regulation (GDPR) made history when it went into effect in 2018. Not only did it replace previous data protection laws in the EU, it also threw down the gauntlet for any and all organisations doing business in the EU, whether they had physical operations in Europe or not. One of the most deeply affected jurisdictions outside of Europe is the US. So how are things going for American companies?

The global nature of the US economy almost forces businesses to pursue customers in Europe. Many companies have a physical presence in EU countries, but many others do not. Those that don't must still comply with the GDPR as long as they collect and store information from EU citizens and residents.

More than two years in, the GDPR seems to have accomplished most of its goals within the EU. As for the rest of the world, it is a mixed bag. Given that some experts are predicting something similar will eventually be implemented in the US, it is worth discussing the current data protection environment there.

No Love from Washington

It was clear that Washington would not be happy with the GDPR way back in 2016 when MPs started talking about it. This should be no surprise. A number of politicians and Washington bureaucrats seem to think that American organizations should be able to do with collected data whatever they choose. But in recent years, the argument against GDPR protections has taken a different turn.

The Trump administration has maintained for a while that the GDPR offers cover for cybercriminals and other bad actors. Officials contend that the strict and uncompromising nature of data privacy rules prevents law enforcement agencies from fully investigating crimes. They say it prevents the military from maximising intelligence opportunities.

Simply put, the GDPR doesn't enjoy much love from Washington. At least some US politicians would probably be happy to see it go. That is not going to happen, so politicians and bureaucrats are going to have to work together to solve any problems related to cybercrime and global terrorism.

A Patchwork of State Laws

The US still doesn't have a comprehensive data protection law at the national level. What's more, it's not likely to ever have one. America's constitutional framework makes it too difficult for the federal government to enact such sweeping regulation. Thus, any implementation of data protection laws is likely to manifest itself as a patchwork of state laws.

Thus far, only California has enacted a data protection law. It went into effect in January 2020. While not as comprehensive as the GDPR, it is a solid piece of legislation. Experts in the US seem to think that other states will eventually follow California's lead. It would be no surprise if that happened. Many things that eventually become nationwide in the United States start in California.

The one thing you will not see is a cut-and-paste of the GDPR into state law books. Again, America's form of governance would not allow it. There are too many provisions that would not hold up under the scrutiny of state constitutions. Still, it is not beyond the realm of possibility that some states will use the GDPR as a blueprint for their regulations.

Businesses Must Adapt

In the meantime, any US businesses collecting and storing information provided by EU residents must comply with the GDPR. That means they must also adapt. The challenge is figuring out how far to take data protection. Does a company implement one set of standards for EU customers and a completely different set for everyone else?

A GDPR audit for American tech firms seems in order here, especially since a fair number of tech companies operate on a global scale. Consider Facebook, Google, and Zoom. All three are global tech companies based in the US. They have to comply with the GDPR where it impacts their users in the EU.

A GDPR audit would tell them exactly how effectively they are complying. It might also reveal how they can apply GDPR standards to the data protection they offer customers outside the EU. Perhaps an audit would prompt them to adopt the same standards across all of their operations.

Smaller companies can benefit from audits as well. They may not be swayed to adopt a single set of global standards, but an audit can at least tell them how they are doing with compliance. American companies of all sizes need to know that much to avoid running afoul of the law.

The GDPR was put in place to protect the rights of individual consumers. It seems to have achieved most of its goals within the EU. Elsewhere, there is still work to be done. That includes the US. At some point, the US will probably have its own version of the GDPR in place. Whether it complements EU regulations or competes against them remains to be seen.

